U.S. Agencies Revamp Standards for Cybersecurity Program

John Lew for the U. of Tulsa

Computer-science students at the U. of Tulsa defuse a simulated bomb.

By Megan O'Neil

Nearly 200 college and university cybersecurity programs will have to reapply for a coveted federal designation under new curriculum standards being rolled out by the National Security Agency and the U.S. Department of Homeland Security.

The retooling of the joint National Centers of Academic Excellence program includes the elimination of dated, controversial federal training standards. They are being replaced with curricular blocks, dubbed "knowledge units," that officials say will enable colleges to develop cybersecurity focus areas while also allowing them to respond to employers' needs in a fluid marketplace.

There are currently 181 cyber­security programs with the designation at two- and four-year institutions, teaching everything from introductory programming to offensive hacking techniques. The label can be a game changer, attracting money, students, and prestige, according to some college officials.

The program's revamping coincides with intense public scrutiny of the cybersecurity field in the wake of disclosures made by Edward J. Snowden, the former Booz Allen Hamilton contractor, about government surveillance. It also comes as government officials, educators, and private companies wrestle with how best to educate the right number of workers with the right skills needed to protect critical infrastructure, economic interests, and personal data in an increasingly networked world.

"Every cybersecurity professional that comes out of college and takes a job is a win for the government, whether they work for John Deere, Boeing, or Target," says Robin (Montana) Williams, branch chief of cybersecurity­-education awareness at the Homeland Security Department. The country is at a critical juncture "as to where we go next in a world that is interconnected and in which cybercrime globally costs us $388-billion a year. We are losing intellectual property. We are losing our nation's work and our nation's vision and our nation's ingenuity because we are not able to protect it," he says.

While discussions of cyber­security may conjure images of self-taught hackers too engrossed in their computers to attend class, most government agencies and top security firms will not consider candidates without a baccalaureate degree. Colleges are not producing them quickly enough, according to work-force studies.

"There is a real need­—that is clear," says Diana Burley, an associate professor at George Washington University who helped write a recent National Research Council report about the professionalization of the cybersecurity field. "What is less clear is exactly what that need is both in terms of the overall number and in the particular areas of the work force that we have to produce people to fill."

The academic-excellence program was started by the NSA in 1998 in an early attempt to widen the pipeline. The first seven university­-level programs were certified in 1999.

Homeland Security became a partner in 2004. Community colleges were added in 2010, and are now 33 of the 181 designees.

'Centers of Adequacy'?

The Centers of Academic Excellence label has the power to put colleges' cybersecurity programs on the map, educators say. It differentiates them in marketing materials and attracts employers to campuses. Students and programs are eligible for tens of millions of dollars in federal scholarships and grants, many administered by the National Science Foundation. Corrinne Sande, head of the Cybersecurity Center at Whatcom Community College, in northwestern Washington State, says that acquiring the designation in 2011 was "the best thing we ever did."

"It increased my enrollment quite a bit," Ms. Sande says. "Many students have told me the only reason they came to my college is because of the designation."

Still, the academic-excellence program has faced criticism. The former training guidelines, called the Committee on National Security Systems standards, were a lightning rod. Unlike educational standards, they prescribed teaching students how to execute specific technical functions.

Critics argued that the standards were an inappropriate fit for academe. Others said that the NSA and the Homeland Security Department diluted the value of the academic-excellence designation by awarding it to too many college programs, among which the quality of resources and education varies widely. One of the most prominent critics has been Eugene H. Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. His was one of the original seven to qualify for the federal designation.

"The program at this size is actually a Centers of Adequacy program," Mr. Spafford, known to many as "Spaf," wrote in a much-quoted blog post in 2008. "That isn't intended to be pejorative. It is simply a statement about the size of the program and the nature of the requirements."

Rapid Change

In the fall of 2012, the NSA and the Homeland Security Department started a yearlong process to replace the old standards, soliciting feedback from educators and industry representatives. The new "knowledge units" include a core curriculum as well as additional, optional units that colleges can adopt to develop specialties such as cyberinvestigations, data-security analysis, health-care security, and systems-security engineering.

"Our intention is to continually update the program so that students are always presented with material that is cutting-edge," Denisha Jackson, who heads the Centers of Academic Excellence program for the NSA, says in an e-mail. "The knowledge-units concept will be much easier to update as government, industry, and academia identify needed changes."

Programs that now have the academic­-excellence label are not guaranteed to retain the designation—they must reapply. NSA officials say they have set a rigorous schedule to process all of the redesignation applications and make site visits by December 2014 before they begin accepting new applicants.

Many observers say that the changes are a step in the right direction. "First, they are upping the bar," says Sujeet Shenoi, founder and director of the University of Tulsa's cyber-operations program, one of the most prestigious in the country and one of those carrying the academic-excellence designation. "They are making it more intense. The second thing is, this is a field that changes drastically, and of course we need to update."

Still, others say the changes fall short. Fostering quality in cyber­security education requires additional resources such as laboratories and teaching materials, Mr. Spafford said. The government should also consider subsidizing teaching salaries to draw top-flight professionals who can earn twice as much at a private company as in a classroom.

"It is an aspirational goal; it is not a recognition of reality," Mr. Spafford said of the academic-excellence designation. "It is not bad to have an aspirational goal, but the resources to actually move in that direction and strengthen the schools that have the designation have been lacking all along."

Others say that tension continues between those who want to see emphasis placed on purely technical education and those who favor an interdisciplinary approach.

"I definitely see this as long-­overdue change," says Victor Piot­rowski, who in his role at the National Science Foundation helps oversee millions of dollars in annual spending on postsecondary cybersecurity education and work-force development. "The step is in the right direction, but the big question is, is it going to be executed effectively? We will see in a couple of years how it works out."